如何使用 boto3 创建特定类型的 IAM 角色?
[英]How to create an IAM role of specific type using boto3?
问题描述
I'm trying to lock down a user to a specific VPC in AWS and following How to Help Lock Down a User's Amazon EC2 Capabilities to a Single VPC |
我正在尝试将用户锁定到AWS的特定VPC并遵循如何帮助将用户的 Amazon EC2 功能锁定到单个 VPC | AWS Security Blog . AWS 安全博客。
It is mentioned that we need to create an IAM role with name VPCLockDown of type AWS Service提到我们需要创建一个名为VPCLockDown的类型为AWS Service的IAM role
and add the services for which the role needs access to.并添加角色需要访问的服务。 like ec2 , lambda etc.像ec2 , lambda等。
I was trying to create this role programatically using boto3 .我试图使用boto3以编程方式创建此角色。
I checked the create_role documentation for creating a role using boto3 .我检查了create_role 文档以使用boto3创建角色。
However, they haven't mentioned anything to specify the type of role and the services that I can specify that the role should have access to.但是,他们没有提到任何内容来指定角色类型和我可以指定角色应该有权访问的服务。
Is there any way to specify these items while creation of the IAM role using boto3有没有办法在使用boto3创建IAM role时指定这些项目
Edit1:编辑1:
I tried creating a service_linked_role as per Sudarshan Rampuria 's answer like我尝试根据Sudarshan Rampuria的回答创建一个 service_linked_role
response = iam.create_service_linked_role(
AWSServiceName='ec2.amazonaws.com',
)
But getting the following error:但收到以下错误:
An error occurred (AccessDenied) when calling the CreateServiceLinkedRole operation: Cannot find Service Linked Role template for ec2.amazonaws.com
2 个解决方案
解决方案1
1 已采纳 2019-12-26 06:41:22
You can use create_service_linked_role() function boto3 to link a role to a service.您可以使用 create_service_linked_role() 函数 boto3 将角色链接到服务。 https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.create_service_linked_role https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.create_service_linked_role
解决方案2
0 2019-12-27 04:13:34
Here is a policy that allows a specific IAM User to launch an instance ( RunInstances ), but only in a given VPC:这是一个允许特定 IAM 用户启动实例 ( RunInstances ) 的策略,但仅限于给定的 VPC:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EC2RunInstancesVPC",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:ap-southeast-2:111111111111:subnet/*",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:ap-southeast-2:111111111111:vpc/vpc-abcd1234" <--- Change this
}
}
},
{
"Sid": "RemainingRunInstancePermissions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:ap-southeast-2:111111111111:instance/*",
"arn:aws:ec2:ap-southeast-2:111111111111:volume/*",
"arn:aws:ec2:ap-southeast-2::image/*",
"arn:aws:ec2:ap-southeast-2::snapshot/*",
"arn:aws:ec2:ap-southeast-2:111111111111:network-interface/*",
"arn:aws:ec2:ap-southeast-2:111111111111:key-pair/*",
"arn:aws:ec2:ap-southeast-2:111111111111:security-group/*"
]
}
]
}
You might need to change the Region.您可能需要更改区域。 (I tested it in the Sydney region.) (我在悉尼地区进行了测试。)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.